• Table of Contents

  Page 7

• + Preface

  Page 13

  • Web Security: Is Our Luck Running Out?

    Page 16

  • About This Book

    Page 20

  • Conventions Used in This Book

    Page 25

  • Comments and Questions

    Page 26

  • History and Acknowledgments

    Page 26

• + PART I. Web Technology

  Page 31

  • + Chapter 1. The Web Security Landscape

    Page 33

    • The Web Security Problem

      Page 33

    • Risk Analysis and Best Practices

      Page 40

  • + Chapter 2. The Architecture of the World Wide Web

    Page 43

    • History and Terminology

      Page 43

    • A Packet’s Tour of the Web

      Page 50

    • Who Owns the Internet?

      Page 63

  • + Chapter 3. Cryptography Basics

    Page 76

    • Understanding Cryptography

      Page 76

    • Symmetric Key Algorithms

      Page 83

    • Public Key Algorithms

      Page 95

    • Message Digest Functions

      Page 101

  • + Chapter 4. Cryptographyand the Web

    Page 108

    • Cryptography and Web Security

      Page 108

    • Working Cryptographic System sand Protocols

      Page 111

    • What Cryptography Can’t Do

      Page 118

    • Legal Restrictions on Cryptography

      Page 120

  • + Chapter 5. Understanding SSL and TLS

    Page 137

    • What Is SSL?

      Page 137

    • SSL: The User’s Point of View

      Page 145

  • + Chapter 6. Digital Identification I: Passwords, Biometrics, and Digital Signatures

    Page 149

    • Physical Identification

      Page 149

    • Using Public Keys for Identification

      Page 160

    • Real-World Public Key Examples

      Page 170

  • + Chapter 7. Digital Identification II: Digital Certificates, CAs, and PKI

    Page 183

    • Understanding Digital Certificates with PGP

      Page 183

    • Public Key Infrastructure

      Page 204

    • Open Policy Issues

      Page 217

• + PART II. Privacy and Security for Users

  Page 231

  • + Chapter 8. The Web’s War on Your Privacy

    Page 233

    • Understanding Privacy

      Page 234

    • User-Provided Information

      Page 237

    • Log Files

      Page 240

    • Understanding Cookies

      Page 246

    • Web Bugs

      Page 255

    • Conclusion

      Page 259

  • + Chapter 9. Privacy-Protecting Techniques

    Page 260

    • Choosing a Good Service Provider

      Page 260

    • Picking a Great Password

      Page 261

    • Cleaning Up After Yourself

      Page 272

    • Avoiding Spam and Junk Email

      Page 282

    • Identity Theft

      Page 286

  • + Chapter 10. Privacy-Protecting Technologies

    Page 292

    • Blocking Ads and Crushing Cookies

      Page 292

    • Anonymous Browsing

      Page 298

    • Secure Email

      Page 305

  • + Chapter 11. Backups and Antitheft

    Page 314

    • Using Backups to Protect Your Data

      Page 314

    • Preventing Theft

      Page 325

  • + Chapter 12. Mobile Code I: Plug-Ins, ActiveX, and Visual Basic

    Page 328

    • When Good Browsers Go Bad

      Page 329

    • Helper Applications and Plug-ins

      Page 334

    • Microsoft’s ActiveX

      Page 338

    • The Risks of Downloaded Code

      Page 348

    • Conclusion

      Page 356

  • + Chapter 13. Mobile Code II: Java, JavaScript, Flash, and Shockwave

    Page 357

    • Java

      Page 357

    • JavaScript

      Page 376

    • Flash and Shockwave

      Page 388

    • Conclusion

      Page 389

• + PART III. Web Server Security

  Page 391

  • + Chapter 14. Physical Security for Servers

    Page 393

    • Planning for the Forgotten Threats

      Page 393

    • Protecting Computer Hardware

      Page 396

    • Protecting Your Data

      Page 411

    • Personnel

      Page 422

    • Story: A Failed Site Inspection

      Page 422

  • + Chapter 15. Host Security for Servers

    Page 426

    • Current Host Security Problems

      Page 427

    • Securing the Host Computer

      Page 435

    • Minimizing Risk by Minimizing Services

      Page 441

    • Operating Securely

      Page 443

    • Secure Remote Access and ContentUpdating

      Page 453

    • Firewalls and the Web

      Page 461

    • Conclusion

      Page 463

  • + Chapter 16. Securing Web Applications

    Page 465

    • A Legacy of Extensibility and Risk

      Page 465

    • Rules to Code By

      Page 473

    • Securely Using Fields, Hidden Fields, and Cookies

      Page 478

    • Rules for Programming Languages

      Page 484

    • Using PHP Securely

      Page 487

    • Writing Scripts That Run with Additional Privileges

      Page 497

    • Connecting to Databases

      Page 498

    • Conclusion

      Page 501

  • + Chapter 17. Deploying SSL Server Certificates

    Page 502

    • Planning for Your SSL Server

      Page 502

    • Creating SSL Servers with FreeBSD

      Page 507

    • Installing an SSL Certificate on Microsoft IIS

      Page 531

    • Obtaining a Certificate from a Commercial CA

      Page 533

    • When Things Go Wrong

      Page 536

  • + Chapter 18. Securing Your Web Service

    Page 540

    • Protecting Via Redundancy

      Page 540

    • Protecting Your DNS

      Page 544

    • Protecting Your Domain Registration

      Page 545

  • + Chapter 19. Computer Crime

    Page 547

    • Your Legal Options After a Break-In

      Page 547

    • Criminal Hazards

      Page 553

    • Criminal Subject Matter

      Page 556

• + PART IV. Security for Content Providers

  Page 561

  • + Chapter 20. Controlling Access to Your Web Content

    Page 563

    • Access Control Strategies

      Page 563

    • Controlling Access with Apache

      Page 568

    • Controlling Access with Microsoft IIS

      Page 575

  • + Chapter 21. Client-Side Digital Certificates

    Page 580

    • Client Certificates

      Page 580

    • A Tour of the VeriSign Digital ID Center

      Page 583

  • + Chapter 22. Code Signing and Microsoft’s Authenticode

    Page 590

    • Why Code Signing?

      Page 590

    • Microsoft’s Authenticode Technology

      Page 594

    • Obtaining a Software Publishing Certificate

      Page 607

    • Other Code Signing Methods

      Page 607

  • + Chapter 23. Pornography, Filtering Software, and Censorship

    Page 609

    • Pornography Filtering

      Page 609

    • PICS

      Page 612

    • RSACi

      Page 619

    • Conclusion

      Page 621

  • + Chapter 24. Privacy Policies, Legislation, and P3P

    Page 622

    • Policies That Protect Privacy and Privacy Policies

      Page 622

    • Children’s Online Privacy Protection Act

      Page 631

    • P3P

      Page 636

    • Conclusion

      Page 639

  • + Chapter 25. Digital Payments

    Page 640

    • Charga-Plates, Diners Club, and Credit Cards

      Page 640

    • Internet-Based Payment Systems

      Page 650

    • How to Evaluate a Credit Card Payment System

      Page 670

  • + Chapter 26. Intellectual Property and Actionable Content

    Page 672

    • Copyright

      Page 672

    • Patents

      Page 675

    • Trademarks

      Page 676

    • Actionable Content

      Page 680

• + PART V. Appendixes

  Page 683

  • + Appendix A. Lessons from Vineyard.NET

    Page 685

    • In the Beginning

      Page 685

    • Planning and Preparation

      Page 686

    • IP Connectivity

      Page 689

    • Commercial Start-Up

      Page 690

    • Ongoing Operations

      Page 697

    • Redundancy and Wireless

      Page 710

    • The Big Cash-Out

      Page 715

    • Conclusion

      Page 717

  • + Appendix B. The SSL/TLS Protocol

    Page 718

    • History

      Page 718

    • TLS Record Layer

      Page 719

    • SSL/TLS Protocols

      Page 720

    • SSL 3.0/TLS Handshake

      Page 722

  • + Appendix C. P3P: The Platform for Privacy Preferences Project

    Page 729

    • How P3P Works

      Page 729

    • Deploying P3P

      Page 732

    • Simple P3P-Enabled Web Site Example

      Page 736

  • + Appendix D. The PICS Specification

    Page 738

    • Rating Services

      Page 738

    • PICS Labels

      Page 740

  • + Appendix E. References

    Page 746

    • Electronic References

      Page 746

    • Paper References

      Page 759

• + Index

  Page 765

  • Symbols

    Page 765

  • Numbers

    Page 765

  • A

    Page 765

  • B

    Page 767

  • C

    Page 767

  • D

    Page 770

  • E

    Page 771

  • F

    Page 772

  • G

    Page 772

  • H

    Page 773

  • I

    Page 773

  • J

    Page 775

  • K

    Page 775

  • L

    Page 775

  • M

    Page 776

  • N

    Page 777

  • O

    Page 778

  • P

    Page 778

  • Q

    Page 780

  • R

    Page 780

  • S

    Page 781

  • T

    Page 783

  • U

    Page 784

  • V

    Page 785

  • W

    Page 785

  • X

    Page 786

  • Y

    Page 786

  • Z

    Page 786

• About the Author

  Page 787

• Colophon

  Page 787

Since the first edition of this classic reference was published, World Wide Web use has exploded and e-commerce has become a daily part of business and personal life. As Web use has grown, so have the threats to our security and privacy--from credit card fraud to routine invasions of privacy by marketers to web site defacements to attacks that shut down popular web sites.

Web Security, Privacy & Commerce goes behind the headlines, examines the major security risks facing us today, and explains how we can minimize them. It describes risks for Windows and Unix, Microsoft Internet Explorer and Netscape Navigator, and a wide range of current programs and products. In vast detail, the book covers:

• Web technology--The technological underpinnings of the modern Internet and the cryptographic foundations of e-commerce are discussed, along with SSL (the Secure Sockets Layer), the significance of the PKI (Public Key Infrastructure), and digital identification, including passwords, digital signatures, and biometrics.

• Web privacy and security for users--Learn the real risks to user privacy, including cookies, log files, identity theft, spam, web logs, and web bugs, and the most common risk, users' own willingness to provide e-commerce sites with personal information. Hostile mobile code in plug-ins, ActiveX controls, Java applets, and JavaScript, Flash, and Shockwave programs are also covered.

• Web server security--Administrators and service providers discover how to secure their systems and web services. Topics include CGI, PHP, SSL certificates, law enforcement issues, and more.

• Web content security--Zero in on web publishing issues for content providers, including intellectual property, copyright and trademark issues, P3P and privacy policies, digital payments, client-side digital signatures, code signing, pornography filtering and PICS, and other controls on web content.

Nearly double the size of the first edition, this completely updated volume is destined to be the definitive reference on Web security risks and the techniques and technologies you can use to protect your privacy, your organization, your system, and your network.